Hi,

On 31/03/2022 10:59, me aharen via dnsdist wrote:
> And added the action "addAction(RCodeRule(DNSRCode.SERVFAIL), DropAction())" - although I am uncertain if this works as I think it would.

This will not work as expected, as this rule is going to drop queries with a response code set to ServFail, not responses. If you want to drop responses instead, which I'm not sure is a very good idea, you need to do:

addResponseAction(RCodeRule(DNSRCode.SERVFAIL), DropResponseAction())

> I do have another QPS rule, "addAction(MaxQPSIPRule(50), PoolAction("abuse"))", to redirect the flooders.
>
> The only thing I can't do is apply any delay or drop action which would disrupt the user's legit queries.

So you have legitimate clients that take part in these DNS floods? Or are you concerned about false positives?

> Using Dynamic Rule is interesting, but it blocks queries once the "exceedServFails" threshold is exceeded, blocking legit queries for the /32 - which is disruptive.

You could use DynBlockRulesGroup:setRCodeRate() [1] to send a truncated answer to blocked clients instead of dropping their queries, so regular clients can retry over TCP. DynBlockRulesGroup:setRCodeRatio() [2] might even be better as it allows you to only block if the ratio of ServFail answers among all answers sent to a given client reaches a threshold.

If you are using a recent enough Linux kernel, it is even possible to do that with XDP for much better performance, see [3].

Note that it is also possible to use dnsdist to detect and block such PRSD attacks, with specific Lua scripts leveraging the ring buffers and dynamic blocks. Guidance and support for writing these scripts can be provided as part of our commercial solutions which include access to professional services.

[1]: https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRate
[2]: https://dnsdist.org/reference/config.html#DynBlockRulesGroup:setRCodeRatio
[3]: https://github.com/PowerDNS/pdns/pull/10498

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
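As an added example (not part of this thread or of the dnsdist project's own documentation), a dnsdist Lua configuration that puts the advice above together: a DynBlockRulesGroup with both a ServFail rate rule and a ServFail ratio rule, answering blocked clients with truncated responses so legitimate resolvers retry over TCP. The thresholds, blocking time and the excluded range are assumed values chosen for illustration.

```lua
-- Example dnsdist configuration (constructed for illustration; thresholds,
-- blocking time and the excluded range are assumed values).
-- Blocked clients receive truncated answers (DNSAction.Truncate) instead of
-- being dropped, so regular clients fall back to TCP rather than failing.

local dbr = dynBlockRulesGroup()

-- Never dynamically block our own internal resolvers / monitoring hosts
-- (assumed range, adjust to your network).
dbr:excludeRange("192.0.2.0/24")

-- Rate-based rule: a client that received more than 20 ServFail answers per
-- second on average over the last 10 seconds is blocked for 60 seconds.
-- setRCodeRate(rcode, rate, seconds, reason, blockingTime [, action [, warningRate]])
dbr:setRCodeRate(DNSRCode.SERVFAIL, 20, 10, "Exceeded ServFail rate", 60,
                 DNSAction.Truncate)

-- Ratio-based rule: block only when at least 80% of the answers sent to a
-- client in the last 10 seconds were ServFail AND the client received at
-- least 50 answers in that window, so low-traffic clients with a few
-- failing lookups are not penalised.
-- setRCodeRatio(rcode, ratio, seconds, reason, blockingTime,
--               minimumNumberOfResponses [, action [, warningRatio]])
dbr:setRCodeRatio(DNSRCode.SERVFAIL, 0.8, 10, "Mostly ServFail answers", 60, 50,
                  DNSAction.Truncate)

-- Only log when a block is inserted, not on every refresh.
dbr:setQuiet(true)

-- dnsdist calls maintenance() about once per second; apply() walks the
-- response ring buffers and inserts or refreshes the dynamic blocks.
function maintenance()
  dbr:apply()
end
```

The per-client QPS rule from the thread (routing flooders to an "abuse" pool) can stay alongside this group; dynamic blocks are evaluated before the rule chain, so a truncated client never reaches the pool rule while blocked.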


_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
